8.1 Group Policy foundations
Use account policies to control the following:
Password settings. Account lockout settings. Kerberos settings.
Policies that are in effect only when configured in a GPO linked to the domain itself. They can't be applied if the GPO is linked to an OU.
Use these policy settings to configure auditing for events, such as log on, account management, or privilege use.
User Rights Assignment
Computer policies include a special category of policies called user rights. User rights identify system maintenance tasks and the users or groups who can perform them.
Examples of user rights include:
· Access this computer from the network (the ability to access resources on the computer through a network connection).
· Load and unload device drivers.
· Back up files and directories (does not include restoring files and directories).
· Shut down the system.
· Remove a computer from a docking station.
Allow you to apply or disable rights for all of the users the policy applies to.
Example options policies include: Computer shut down when Security event log reaches capacity. Unsigned driver installation.
You can use these policies to: Configure specific registry keys and values. Specify if a user can view and/or change a registry value, view sub-keys, or modify key permissions.
File System policies
Use these policies to configure file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.
Software Restriction Policies
Use these policies to define the software permitted to run on any computer in the domain. You can apply these policies to specific users or all users. You can use software restrictions to:
· Identify allowed or blocked software.
· Allow users to run only specified files on multi-user computers.
· Determine who can add trusted publishers.
· Apply restrictions to specific users or all users.
Registry-based settings that you can configure within a GPO to control the computer and overall user experience.
· Use of Windows features such as BitLocker, offline files, and parental controls.
· Customize the Start menu, taskbar, or desktop environment.
· Control notifications.
· Restrict access to Control Panel features.
· Configure Internet Explorer features and options.
Starter Group Policy Objects
Allow you to store a collection of administrative template policy settings in a single object.
When you create a new GPO from a starter GPO, the new GPO has all of the Administrative template policy settings and values that were defined in the starter GPO. You can easily distribute starter GPOs by exporting and then importing them to another environment.
Is a set of configuration settings applied to objects such as users or computers.
Allow the administrator to apply multiple settings to multiple objects within the Active Directory domain at one time.
Group policy object (GPO)
Collections of policy settings are stored in this place. Includes registry settings, scripts, templates, and software-specific configuration values.
local Group Policy settings
Computers that are not part of a domain use these settings to control security settings and other restrictions on the computer. These settings are also applied to domain-joined computers.
domain Group Policy settings
This Group Policy overrides local Group Policy if a particular policy setting is defined in both places.
To manage local Group Policy, use Microsoft Management Console (MMC):
1. Enter mmc at the command line to launch Microsoft Management Console.
2. Add the Group Policy Object Editor snap-in from the File menu. By default, it will add the Local Computer Group Policy snap-in.
3. Select Users to edit Local Group Policy for specific users on the computer.
Group Policy Object Editor
Snap-in added from the File menu of the Microsoft Management Console. By default, it will add the Local Computer Policy snap-in. You can save it to allow for easy access in the future.
Entered at the command line to launch Microsoft Management Console.
You can also access the local Group Policy snap-in directly by entering this command at the command line.
Group Policy Objects (GPOs)
Objects that can be linked to Active Directory sites, domains, and organizational units (OUs).
Group Policy Management console
Use it to link a GPO to one of these objects.
Be aware of the following when applying a GPO:
· A GPO applied to an OU affects the objects in the OU and sub-OUs.
· A GPO applied to a domain affects all objects in all OUs in the domain.
Containers such as the Computers container, and folders cannot have GPOs linked to them.
Once the GPO has been linked, you can edit various policy settings within it. When linking Group Policies:
· The Default Domain Controllers policy is linked to the domain controllers OU by default.
· On the Linked Group Policy Objects tab, you can change the link order of Group Policies.
· The Group Policy Inheritance tab lists the order in which Group Policies will be applied.
· To delete a Group Policy, you must delete it from the Group Policy Objects container.
Default Domain Controllers policy
o Linked to the domain controllers OU by default.
o This policy increases security of the domain controllers.
o You can run the dcgpofix command to restore the original settings of the Default Domain Controllers Group Policy.
Command to restore the original settings of the Default Domain Controllers Group Policy.
Linked Group Policy Objects
Tab where you can change the link order of Group Policies.
Group Policy Inheritance
Tab that lists the order in which Group Policies will be applied. The policies are listed in reverse order of precedence, meaning that the last policy on the list--the one with the highest precedence number--will be applied first.
Group Policy permissions
Control the operations that users can perform on the GPO as well as the application of the GPO to the user.
Assigning GPO Permissions
· To apply settings to a user, the user must have the Allow Read and Apply Group Policy permissions.
· By default, each GPO grants the Authenticated Users group (essentially, all network users) the Allow Read and Apply Group Policy permissions. This means that, by default, GPO settings apply to all users.
· Permissions also control who can edit Group Policy settings and manage the GPO.
You can use these templates to create Group Policies to manage Microsoft Office or in-house applications.
File types for Administrative Templates use an XML-based file format that allows multi-language support and version control.
The Administrative Template files, which require Windows Vista or later to edit.
Contain the language-specific Administrative Template files.
The pre-XML format used for Administrative Templates. This older format is still usable in current versions of Windows Server.
The policy is stored locally, and the settings are saved to Group Policy on the domain controller.
Allows Administrative Templates to be available to be edited by other domain administrators.
Where Group Policies are kept, a share that is created when you install Active Directory. All domain controllers in the domain have a replicated copy of it.
To create a central store:
o Create a folder named PolicyDefinitions in file:\\FQDN\SYSVOL\FQDN\. For example:
o Copy the contents of the local PolicyDefinitions folder to the PolicyDefinitions folder on SYSVOL. The path of the local PolicyDefinitions folder is typically:
Keep in mind the following about GPOs:
· If possible, combine multiple settings into one Group Policy. Reducing the number of Group Policies that require processing reduces boot and logon time.
· The Default Domain policy contains the only account and password policies that are going to take effect unless you create a password settings object (PSO).
· GPOs do not exist at the forest level. To enforce a GPO in multiple domains, create the GPO in one domain, export it, and then import it into other domains.
Policies that are enforced for the entire computer and are applied when the computer boots.
These policies are in effect regardless of the user logging into the computer.
Policies that are initially applied as the computer boots and are enforced before any user logs on.
Computer policies include:
· Software that should be installed on a specific computer.
· Scripts that should run at startup or shutdown.
· Password restrictions that must be met for all user accounts.
· Network communication security settings.
· Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree).
Policies that are enforced for specific users.
Policies that are initially applied as the user logs on. They often customize Windows based on user preferences.
User policy settings include:
· Software that should be installed for a specific user.
· Scripts that should run at logon or logoff.
· Internet Explorer user settings, such as favorites and security settings.
· Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree).
A Windows feature that allows Active Directory administrators to implement specific configurations for users and computers.
Group Policy Object
A collection of settings that control how a computer will behave.
Local Group Policy
The set of group policy objects for standalone and non-domain computers.
Policies that run before any user policies run.
A command-line tool that enables you to immediately invoke settings from GPOs you have modified.
A command-line tool that displays the Local Group Policy Editor, where you can make changes to the OS.
Sequence used to process policies: Local Policies, Site Policies, Domain Policies, and then Organizational Unit Policies.